1.6 Configuring Sentinel Settings

The following sections provide information about the default Sentinel settings and how to change the default settings.

1.6.1 Configuring SLES Open File Limits

Sentinel sets a default limit of 65536 open files for the Sentinel processes. This is sufficient for most installations. However, some scenarios can cause the Sentinel server to need more open files, such as running a large number of searches or reports concurrently, or running searches and reports that span unusually large time ranges. In such cases you might consider increasing the default open files limit to allow more than 65536 open files.

NOTE: For optimal performance, NetIQ recommends that you do not decrease the default limit.

Perform the following steps to change the open file limits:

  1. Log in to the system as the root user.

  2. Open the /etc/security/limits.conf file.

  3. Change the value in the following lines:

    novell soft nofile 65536
    novell hard nofile 65536

    NOTE: Setting the soft limit is optional; however, setting the hard limit is mandatory.

  4. Save the changes.

  5. Restart the Sentinel server.
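The following checker is an added example, not part of the Sentinel documentation or product: it parses the nofile entries of a limits.conf text for the novell user and applies the rules from this section (hard limit mandatory, soft limit optional, neither below the 65536 default). The user name and the 65536 minimum are taken from the procedure above; the sample file content is constructed.

```python
# Added example (not from the Sentinel documentation): validate the novell
# nofile entries in /etc/security/limits.conf against the rules above.
DEFAULT_NOFILE = 65536


def parse_nofile_limits(text, user="novell"):
    """Return {"soft": int|None, "hard": int|None} for the user's nofile lines.

    Lines have the form '<domain> <type> <item> <value>'; comments and other
    items are ignored, and a later line for the same type overrides an earlier one.
    """
    limits = {"soft": None, "hard": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            continue
        domain, ltype, item, value = fields
        if domain != user or item != "nofile" or not value.isdigit():
            continue
        if ltype in ("soft", "hard"):
            limits[ltype] = int(value)
        elif ltype == "-":                    # '-' sets soft and hard together
            limits["soft"] = limits["hard"] = int(value)
    return limits


def check_nofile_limits(text, user="novell", minimum=DEFAULT_NOFILE):
    """Return a list of findings; an empty list means the file is acceptable."""
    limits = parse_nofile_limits(text, user)
    findings = []
    if limits["hard"] is None:
        findings.append("hard nofile limit for %s is missing (mandatory)" % user)
    elif limits["hard"] < minimum:
        findings.append("hard nofile limit %d is below the %d default"
                        % (limits["hard"], minimum))
    if limits["soft"] is not None and limits["soft"] < minimum:
        findings.append("soft nofile limit %d is below the %d default"
                        % (limits["soft"], minimum))
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the two lines the procedure edits.
    sample = "novell soft nofile 65536\nnovell hard nofile 65536\n"
    print(parse_nofile_limits(sample), check_nofile_limits(sample))
```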

1.6.2 Configuring the Number of Processors for mksquashfs

You can specify the number of processors for mksquashfs to use when compressing the index on the event data. This capability enables the mksquashfs utility to make more use of additional CPUs that may be available on some systems.

  1. Log in to the system as the root user.

  2. Open the /etc/opt/novell/sentinel/config/configuration.properties file.

  3. Add or edit the mksquashfs.numprocessors property and specify the desired value. This value specifies the number of processors you want to allow mksquashfs to use.

     mksquashfs.numprocessors=4

  4. Save the changes.

  5. Restart the Sentinel server.

1.6.3 Configuring Memory for the Sentinel Server

Sentinel provides the setmemory.sh script that allows you to change the default memory settings for the Sentinel server. The setmemory.sh script is located in the /etc/opt/novell/sentinel/bin directory.

To make changes to the default memory settings, you must create a setmemory.properties file. The default location for this file is /etc/opt/novell/sentinel/config/setmemory.properties.

You can set the following configuration parameters in the setmemory.properties file:

  • JAVA_MEM_SERVER: The maximum heap memory (Xmx in MB) allocated to the process.

  • JAVA_MEM_PERMGEN: The maximum permanent generation memory (in MB) allocated to the process.

  • JAVA_MEM_BROKER: The maximum amount of memory allocated for the message bus broker. This affects how many connections the message bus broker can accept.

  • BROKER_MAX_CON: The maximum number of connections the message bus broker can accept.

  • CORRELATION_INPUT_BUFFER_MAX_SIZE: The memory allocated to hold the Correlation events. By default, 10% of the memory is allocated to hold the Correlation events.

When the server starts, these memory settings in the setmemory.properties file override the default settings.

1.6.4 Setting the Grace Period to Close Event Data Partitions

The event data partitions are closed after one day, and no more events are written to them. Even though the duration for event data partitions is one day, a grace period of 10 minutes is given to accommodate events arriving late.

You can change the default value as necessary. To customize the grace time period to close a partition, perform the following steps:

  1. Log in to the system as the root user.

  2. Open the /etc/opt/novell/sentinel/config/configuration.properties file.

  3. Edit the sentinel.events.online.opengraceminutes property to specify the desired value. By default, Sentinel does not set any value to this property. If no value is set, Sentinel considers 10 minutes as the grace time period to close a partition.

  4. Restart the Sentinel server.

1.6.5 Setting the Raw Data Limit

Sentinel now sets a limit of 100,000 when copying raw data, to prevent raw data from unnecessarily consuming disk space and causing the system to become unstable. When the limit of 100,000 is reached, Sentinel automatically deselects the Copy Raw Data to a file option in the Connector configuration window and stops copying the raw data. If you want to collect the raw data again, edit the Connector and select the Copy Raw Data to a file option.

You can also change the default value as necessary.

  1. Log in to the system as the novell user.

  2. Open the /etc/opt/novell/sentinel/config/server.conf file.

  3. Edit the value in the wrapper.java.additional.60=-DMAX_DUMP_SIZE=10000 property to the desired limit.

  4. Restart the Sentinel server.

1.6.6 Implementing Intruder Detection and Lockout Mechanisms

Sentinel now supports intruder detection and lockout to prevent potential brute-force attacks. Sentinel provides several configurable parameters that help you implement intruder detection and lockout mechanisms.

  • failedAuthDelay: Specifies the duration that a subsequent authentication request must wait after a failed authentication for a specific user. The default value is 2000 (2 seconds). If the value is 0, the delay is disabled. Note: You must set this value for each user. If an authentication request for User A fails, it does not cause a delay for an authentication request for User B.

  • intruderDetectInterval: Specifies the time period in which consecutive failed authentication requests for a user must occur for Sentinel to identify the failures as a possible intruder detection. For example, if the value is 300000 (5 minutes) and four failed authentication requests happen within 4 minutes, but the 5th consecutive request happens 5:01 (minutes:seconds) after the 1st failed request, Sentinel does not consider the requests suspicious. If the value is 360000 (6 minutes) and the same sequence of failed requests happens, Sentinel considers the requests suspicious. The default value for this parameter is 300000 (5 minutes).

  • intruderDetectMaxFailedAttempts: Specifies the number of consecutive failed authentication requests for a user name that must occur within the intruderDetectInterval for Sentinel to consider the requests suspicious. If the value is 0, intruder detection and lockout are disabled. The default value for this parameter is 5.

  • intruderDetectLockPeriod: Specifies the duration that a Sentinel user account remains locked when the user account is automatically locked in response to a suspicious series of failed authentication requests. If the value is 0, automatically locked accounts are not automatically unlocked. They must be unlocked manually by an administrator. The default value for this parameter is 900000 (15 minutes).

  • intruderDetectAdminAutoLock: Specifies whether the Sentinel admin account is subject to automatic locking in response to a series of failed authentication requests. The default is false, because otherwise a denial-of-service attack exists in which an attacker can continually lock the built-in admin account, unless a separate administrator account exists.

The values listed above are defined in the AuthenticationService component of the /etc/opt/novell/sentinel/config/server.xml file. After you make any manual modifications to the values, you must place this component in the component properties override file /etc/opt/novell/sentinel/config/obj-component.AuthenticationService.properties to ensure that the modified settings are not lost during an upgrade.
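To make the interaction of these parameters concrete, here is an added model of the detection and lockout rules described above. It is not Sentinel's own code: it reproduces the worked 5-minute versus 6-minute example, the admin exemption, and the manual-unlock behaviour of a zero lock period, with times in milliseconds as in the settings. The account name "admin" for the built-in admin account and the sample failure timestamps are assumptions; failedAuthDelay is not modelled.

```python
# Added example (not Sentinel's implementation): a model of the intruder
# detection parameters described above.  All times are in milliseconds.
from dataclasses import dataclass, field


@dataclass
class IntruderDetectConfig:
    intruderDetectInterval: int = 300000        # 5 minutes
    intruderDetectMaxFailedAttempts: int = 5    # 0 disables detection and lockout
    intruderDetectLockPeriod: int = 900000      # 15 minutes; 0 means manual unlock only
    intruderDetectAdminAutoLock: bool = False


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of the current failure series
    locked_at: int = None                         # None while the account is not locked


class IntruderDetector:
    def __init__(self, cfg, admin_user="admin"):  # "admin" is an assumed account name
        self.cfg, self.admin_user, self.accounts = cfg, admin_user, {}

    def is_locked(self, user, now):
        st = self.accounts.get(user)
        if st is None or st.locked_at is None:
            return False
        if self.cfg.intruderDetectLockPeriod == 0:
            return True                       # never auto-unlocked; see unlock()
        return now - st.locked_at < self.cfg.intruderDetectLockPeriod

    def record_failure(self, user, now):
        """Record a failed login at time 'now'; return True if it triggers a lock."""
        cfg = self.cfg
        if cfg.intruderDetectMaxFailedAttempts == 0:
            return False
        st = self.accounts.setdefault(user, AccountState())
        st.failures.append(now)
        # Only failures inside the interval ending at 'now' count as one series.
        st.failures = [t for t in st.failures if now - t < cfg.intruderDetectInterval]
        if len(st.failures) < cfg.intruderDetectMaxFailedAttempts:
            return False
        if user == self.admin_user and not cfg.intruderDetectAdminAutoLock:
            return False                      # suspicious, but the admin account is exempt
        st.locked_at, st.failures = now, []
        return True

    def record_success(self, user):
        self.accounts.pop(user, None)         # a success breaks the consecutive series

    def unlock(self, user):
        self.accounts.pop(user, None)         # manual unlock by an administrator
```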